[ Rapax ransomware ]
[Virus/Malware Activity Report: Rapax Ransomware]
An intrusion believed to involve Rapax ransomware has occurred,
so we would like to confirm the situation and provide the following warning.
Rapax Ransomware
The ransomware in question is called Rapax and appears to rename all affected files to the form file name.extension.rapax.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
It is C# .NET-based ransomware. As is characteristic of the Chaos family, it appears to move itself to the Roaming folder and re-execute as svchost, and it does not run on operating systems set to certain regional languages. It deletes shadow copies and the backup catalog, and disables Windows recovery and Task Manager. It stops data- and backup-related services and registers the ransomware in the startup programs registry.
[Figure 3 Check whether a specific language pack is used (Turkish tr-TR / Azerbaijani az-Latn-AZ)]
[Figure 4 Multiple commands through cmd]
[Figure 5 Data and backup service name where stop command is executed]
[Figure 6: Startup program registry registration and ransomware executable file in roaming folder]
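The process behaviours described above can be turned into a triage rule over process-creation logs. The following is an added example, not code from the original report or from White Defender; the event field names, the sample events and the command-line patterns (the report shows the actual commands only in its figures) are assumptions.

```python
import re
from collections import defaultdict

# Behaviours named in the report, mapped to command-line patterns.
# ASSUMPTION: the exact commands appear only in the report's figures, so these
# patterns cover the standard Windows tools for each action.
CMD_RULES = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    "service_stop": re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S+", re.I),
}
# svchost started from a user's Roaming folder instead of System32.
ROAMING_SVCHOST = re.compile(r"\\AppData\\Roaming\\svchost(\.exe)?$", re.I)


def classify(event):
    """Return the set of behaviour tags one process-creation event matches."""
    tags = {name for name, rx in CMD_RULES.items() if rx.search(event["cmdline"])}
    if ROAMING_SVCHOST.search(event["image"]):
        tags.add("svchost_in_roaming")
    return tags


def triage(events, threshold=3):
    """Collect tags per host; flag hosts showing >= threshold distinct behaviours.

    A single tag (for example one service stop) is routine admin activity,
    so only the combination is treated as ransomware-like.
    """
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}


# Constructed sample events (hypothetical hosts, not from a real incident).
SAMPLE = [
    {"host": "ws-01", "image": r"C:\Users\a\AppData\Roaming\svchost.exe", "cmdline": "svchost.exe"},
    {"host": "ws-01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"host": "ws-01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"host": "srv-02", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "srv-02", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop Spooler"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only `ws-01` is flagged in the sample; `srv-02` shows a legitimate svchost and a single service stop, which stays below the threshold.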
Infection results
Instruction files are created as <instruction.txt> in each folder, and encrypted files are changed to <file name.extension.rapax>.
[Figure 7 Infection results]
White Defender compatible
White Defender supports blocking of the ransomware's malicious actions and real-time automatic restoration of the files targeted for encryption.
[Figure 8 Block message]